Pivotal Container Service v1.0

Manage Users in UAA


This topic describes how to manage users with User Account and Authentication (UAA) in Pivotal Container Service (PKS).

How to Use UAAC

Use the UAA Command Line Interface (UAAC) to interact with the UAA server. You can either run UAAC commands from the Ops Manager VM or install UAAC on your local workstation.

To run UAAC commands from the Ops Manager VM, see the following SSH procedures for vSphere or GCP.

To install UAAC locally, see Component: User Account and Authentication (UAA) Server.

SSH into the Ops Manager VM on vSphere

To SSH into the Ops Manager VM on vSphere, you need the credentials used to import the PCF .ova or .ovf file into your virtualization system. You set these credentials when you installed Ops Manager.

Note: If you lose your credentials, you must shut down the Ops Manager VM in the vSphere UI and reset the password. See the vCenter Password Requirements and Lockout Behavior in the vSphere documentation for more information.

  1. From a command line, run ssh ubuntu@OPS-MANAGER-FQDN to SSH into the Ops Manager VM. Replace OPS-MANAGER-FQDN with the fully qualified domain name of Ops Manager.

  2. When prompted, enter the password that you set during the .ova deployment into vCenter. For example:

    $ ssh ubuntu@my-opsmanager-fqdn.example.com
    Password: ***********
    

  3. Proceed to the Log in as an Admin section to manage users.

SSH into the Ops Manager VM on GCP

To SSH into the Ops Manager VM in GCP, follow these instructions:

  1. Confirm that you have installed the gcloud CLI. See the Google Cloud Platform documentation for more information.

  2. From the GCP console, click Compute Engine.

  3. Locate the Ops Manager VM in the VM Instances list.

  4. Click the SSH menu button.

  5. Copy the SSH command that appears in the popup window.

  6. Paste the command into your terminal window to SSH to the Ops Manager VM. For example:

    $ gcloud compute ssh om-pcf-1a --zone us-central1-b
    

  7. Run sudo su - ubuntu to switch to the ubuntu user.

  8. Proceed to the Log in as an Admin section to manage users.

Log in as an Admin

To retrieve the PKS UAA management admin client secret, do the following:

  1. In a web browser, navigate to the fully qualified domain name (FQDN) of Ops Manager and click the Pivotal Container Service tile.
  2. Click Credentials.
  3. To view the secret, click Link to Credential next to Uaa Admin Secret. The client username is admin.
  4. On the command line, run the following command to target your UAA server:

    uaac target https://PKS-API:8443 --ca-cert ROOT-CA-FILENAME

    Replace PKS-API with the URL of your UAA server. You configured this URL in the UAA section of Installing and Configuring PKS. Replace ROOT-CA-FILENAME with the certificate file you downloaded in Configure Access to the PKS API. For example:

    $ uaac target https://api.pks.example.com:8443 --ca-cert my-cert.cert


    Note: If you receive an Unknown key: Max-Age = 86400 warning message, you can safely ignore it because it has no impact.

  5. Authenticate with UAA using the secret you retrieved. Run the following command, replacing ADMIN-CLIENT-SECRET with your PKS UAA management admin client secret:

    uaac token client get admin -s ADMIN-CLIENT-SECRET

Grant Cluster Access to a User

To allow a user to access clusters in PKS, do the following using UAAC:

  1. Target your UAA server using uaac target https://UAA-URL:8443. Replace UAA-URL with the domain name you configured in the UAA pane of the PKS tile. For example:

    $ uaac target https://api.pks.example.com:8443

  2. Authenticate with UAA using the secret you retrieved in the previous section. Run the following command, replacing UAA-ADMIN-SECRET with your UAA admin secret:

    uaac token client get admin -s UAA-ADMIN-SECRET

  3. (Optional) Create a user by running uaac user add USERNAME --emails USER-EMAIL -p USER-PASSWORD. For example:

    $ uaac user add alana --emails alana@example.com -p password

  4. Assign a scope to a user to allow them to access Kubernetes clusters. Run uaac member add UAA-SCOPE USERNAME, replacing UAA-SCOPE with one of the following UAA scopes:

    • pks.clusters.admin: Users with this scope have full access to all clusters.
    • pks.clusters.manage: Users with this scope can only access clusters they create.

    For example:

    $ uaac member add pks.clusters.admin alana
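    The four steps above combined into one script, added here as an example and not taken from the PKS documentation. It assumes uaac is on the PATH (overridable through the UAAC variable for testing), reads the admin client secret and the new user's password from environment variables instead of literals typed on the command line, always passes a CA certificate when targeting UAA, and rejects any scope name other than the two listed above.

```shell
#!/bin/sh
# Added example (not from the PKS documentation): the "Grant Cluster Access
# to a User" procedure as one idempotent script.
# Assumption: UAAC names the uaac binary; it defaults to "uaac" on the PATH.
set -eu

UAAC="${UAAC:-uaac}"

# Return 0 only for one of the two PKS cluster scopes documented above.
valid_scope() {
  case "$1" in
    pks.clusters.admin|pks.clusters.manage) return 0 ;;
    *) return 1 ;;
  esac
}

# grant_cluster_access UAA-DOMAIN CA-CERT USERNAME EMAIL SCOPE
# The admin client secret comes from $UAA_ADMIN_SECRET and the new user's
# password from $USER_PASSWORD, so neither lands in shell history.
# The user is created only when UAA does not already know it.
grant_cluster_access() {
  domain="$1"; ca="$2"; user="$3"; email="$4"; scope="$5"
  if ! valid_scope "$scope"; then
    echo "unknown scope '$scope' (expected pks.clusters.admin or pks.clusters.manage)" >&2
    return 2
  fi
  if [ ! -r "$ca" ]; then
    echo "CA certificate '$ca' not readable; refusing to target UAA without it" >&2
    return 2
  fi
  : "${UAA_ADMIN_SECRET:?set UAA_ADMIN_SECRET in the environment}"
  # Steps 1 and 2: target the server over TLS and obtain a client-credentials token.
  "$UAAC" target "https://$domain:8443" --ca-cert "$ca"
  "$UAAC" token client get admin -s "$UAA_ADMIN_SECRET"
  # Step 3: create the user only if "uaac user get" cannot find it.
  if ! "$UAAC" user get "$user" >/dev/null 2>&1; then
    : "${USER_PASSWORD:?set USER_PASSWORD in the environment to create $user}"
    "$UAAC" user add "$user" --emails "$email" -p "$USER_PASSWORD"
  fi
  # Step 4: put the user in the scope group.
  "$UAAC" member add "$scope" "$user"
}
```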

